
SSH access from the git client, with authentication based on an asymmetric RSA key pair #18

Open
Jean-Baptiste-Lasselle opened this issue Nov 10, 2018 · 2 comments

@Jean-Baptiste-Lasselle
Owner

Issue to track an incident on the production gitlab

I can't get this clone to work:

export GIT_SSH_COMMAND='ssh -i ~/.ssh/id_rsa' && git clone "ssh://git@gitlab.kytes.io:2222/kytes-it/etudes/gantt-and-calendars/DHTMLX-DHX-COMPANY/gantt-angular2-recipe.git"

But it should work without a password; I did add my public key to my gitlab user, that's certain. Here is my stdout with the errors:

[jibl@pc-100 tests-gantt-angular]$ export GIT_SSH_COMMAND='ssh -i ~/.ssh/id_rsa' && git clone "ssh://git@gitlab.kytes.io:2222/kytes-it/etudes/gantt-and-calendars/DHTMLX-DHX-COMPANY/gantt-angular2-recipe.git"
Cloning into 'gantt-angular2-recipe'...
Connection reset by 192.168.1.30 port 2222
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I have a source that tells me:

sameersbn commented on Apr 5, 2014

@jwthomp Currently there are 2 ways you can do this.

As you have done, you can change the port number of the host ssh server and forward connections to port 22 to the container using the option -p 22:22 in the docker run command. There is no need to use haproxy.
Forward some other port on the host to port 22 of the container and use the GITLAB_SHELL_SSH_PORT configuration option to specify the forwarded port to the gitlab application so that the clone urls reflect this.

For example, add -p 10022:22 -e "GITLAB_SHELL_SSH_PORT=10022" to the docker run command. Now you will notice that the ssh clone urls in the gitlab server will change to the form ssh://git@git.local.host:10022/docker/docker-gitlab.git.

So in the end, I need to make a change on the infra in order to test; then I will version it and apply it, with a backup/restore test (they must not have any regression).

Test change 1

    environment:
      - TZ=${TZ}
      - VERSION_IMAGE_GITLAB_CE=$GITLAB_CE_VERSION
      - GITLAB_HTTP_PORT_VIA_NGINX_INTERNE_GITLAB=$GITLAB_HTTP_PORT_VIA_NGINX_INTERNE_GITLAB
      # The value of `GITLAB_SSH_PORT` is defined in the `./.env` file
      - GITLAB_SHELL_SSH_PORT=$GITLAB_SSH_PORT
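
The quoted comment describes the mechanism that the compose fragment above relies on: sshd listens on port 22 inside the container, the host publishes some other port to it, and `GITLAB_SHELL_SSH_PORT` tells GitLab which host port to put in the clone URLs it advertises. The script below is an added example, not code from this issue or from the docker-gitlab project; it assumes docker-compose style `ports` entries (`[host_ip:]host_port:container_port[/proto]`) and checks that the published port, the advertised port and the host bind address are consistent, flagging a mapping bound to every host interface (0.0.0.0) as a finding. The sample inputs at the bottom are constructed from the values in this issue.

```python
"""Consistency check for the SSH port mapping of a GitLab container.

Added example, not code from this issue or from the docker-gitlab project.
Assumes compose-style `ports` entries and the GITLAB_SHELL_SSH_PORT variable:
sshd listens on 22 in the container, the host publishes another port, and
GitLab must advertise that host port in its clone URLs.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PortMapping:
    host_ip: str | None   # None: no address given, Docker binds on every host interface
    host_port: int
    container_port: int


def parse_port_mapping(entry: str) -> PortMapping:
    """Parse one compose `ports` entry such as "192.168.1.32:2222:22" or "2222:22/tcp"."""
    spec = entry.split("/", 1)[0]          # drop an optional "/tcp" or "/udp" suffix
    parts = spec.split(":")
    if len(parts) == 2:
        host_ip, host_port, container_port = None, parts[0], parts[1]
    elif len(parts) == 3:
        host_ip, host_port, container_port = parts
    else:
        raise ValueError(f"unsupported ports entry: {entry!r}")
    return PortMapping(host_ip or None, int(host_port), int(container_port))


def binds_all_interfaces(m: PortMapping) -> bool:
    """True when the published port is reachable on every address of the host."""
    return m.host_ip is None or m.host_ip in ("0.0.0.0", "::")


def check_gitlab_ssh_exposure(ports: list[str], env: dict[str, str]) -> list[str]:
    """Return findings for the sshd mapping; an empty list means the setup is consistent."""
    findings: list[str] = []
    ssh_maps = [m for m in map(parse_port_mapping, ports) if m.container_port == 22]
    if not ssh_maps:
        return ["no host port is published to the container's sshd (container port 22)"]
    advertised = env.get("GITLAB_SHELL_SSH_PORT")
    for m in ssh_maps:
        if advertised is None and m.host_port != 22:
            findings.append(
                f"host port {m.host_port} is published but GITLAB_SHELL_SSH_PORT is unset: "
                "advertised clone URLs will point at port 22")
        elif advertised is not None and int(advertised) != m.host_port:
            findings.append(
                f"GITLAB_SHELL_SSH_PORT={advertised} does not match published host port {m.host_port}")
        if binds_all_interfaces(m):
            findings.append(
                f"sshd published on host port {m.host_port} is bound to all host interfaces; "
                "bind it to the one address clients should use")
    return findings


def expected_clone_url(host: str, group_path: str, repo: str, env: dict[str, str]) -> str:
    """Clone URL GitLab advertises: scp-like form on port 22, ssh:// with explicit port otherwise."""
    port = env.get("GITLAB_SHELL_SSH_PORT")
    if port is None or int(port) == 22:
        return f"git@{host}:{group_path}/{repo}.git"
    return f"ssh://git@{host}:{port}/{group_path}/{repo}.git"


if __name__ == "__main__":
    # Constructed inputs mirroring this issue: the corrected mapping, then the original one.
    fixed = check_gitlab_ssh_exposure(["192.168.1.32:2222:22"], {"GITLAB_SHELL_SSH_PORT": "2222"})
    original = check_gitlab_ssh_exposure(["0.0.0.0:2222:22"], {})
    print("corrected mapping findings:", fixed or "none")
    for finding in original:
        print("original mapping finding:", finding)
    print(expected_clone_url("gitlab.kytes.io", "kytes-it/etudes", "voyons",
                             {"GITLAB_SHELL_SSH_PORT": "2222"}))
```

Run it against the `ports` and `environment` sections of the compose file before deploying: a non-empty result for the sshd mapping means either clients will be handed a clone URL with the wrong port, or sshd is reachable on more host addresses than intended.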
@Jean-Baptiste-Lasselle
Owner Author

With the environment variable added, here is the result I get:

  • On the container host:
[jbl@pc-172 ~]$ telnet localhost 2222
Trying ::1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
^C
[jbl@pc-172 infra-kytes]$ ssh git@gitlab.kytes.io -p 2222
Connection reset by 192.168.1.32 port 2222
[jbl@pc-172 infra-kytes]$ 
  • Inside the gitlab container:
[jbl@pc-172 ~]$ docker exec -it kytes_gitlab_service bash -c "telnet localhost 22"
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
^C
Connection closed by foreign host.
[jbl@pc-172 ~]$ docker exec -it kytes_gitlab_service bash -c "telnet 0.0.0.0 22"
Trying 0.0.0.0...
Connected to 0.0.0.0.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
^C
Connection closed by foreign host.
[jbl@pc-172 ~]$ docker exec -it kytes_gitlab_service bash -c "telnet gitlab.kytes.io 22"
Trying 172.18.0.7...
Connected to gitlab.kytes.io.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
exit
Protocol mismatch.
Connection closed by foreign host.
[jbl@pc-172 ~]$ docker exec -it kytes_gitlab_service bash -c "ssh git@gitlab.kytes.io:22"
ssh: Could not resolve hostname gitlab.kytes.io:22: Name or service not known
[jbl@pc-172 ~]$ docker exec -it kytes_gitlab_service bash -c "ssh git@gitlab.kytes.io -p 22"
Connection reset by 172.18.0.7 port 22
[jbl@pc-172 ~]$ 

And in every case:

[jbl@pc-172 ~]$ export GIT_SSH_COMMAND='ssh -i ~/.ssh/id_rsa' && git clone "ssh://git@gitlab.kytes.io:2222/kytes-it/etudes/gantt-and-calendars/DHTMLX-DHX-COMPANY/gantt-angular2-recipe.git"
Cloning into 'gantt-angular2-recipe'...
Connection reset by 192.168.1.32 port 2222
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
[jbl@pc-172 ~]$ 

@Jean-Baptiste-Lasselle
Owner Author

OK, the test consisting of changing the bind IP address of the Docker host network interface (from 0.0.0.0 to 192.168.1.32) gives a positive result, with the IaC cycle from the devops workstation:

jbl@pc-alienware-jbl:~/test-iaac-kytes$ git clone "git@$NOM_HOTE_RESEAU_GITLAB:$NOM_COMPLET_GROUPE_GITLAB_DU_REPO/voyons.git" .
Cloning into '.'...
The authenticity of host '[gitlab.kytes.io]:2222 ([192.168.1.32]:2222)' can't be established.
ECDSA key fingerprint is SHA256:QxdW+6ER6d/DLjGnDtBZ2eRXQNV+tIWfrvizbTykgBg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[gitlab.kytes.io]:2222,[192.168.1.32]:2222' (ECDSA) to the list of known hosts.
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.
jbl@pc-alienware-jbl:~/test-iaac-kytes$ ls -allh
total 16K
drwxr-xr-x  3 jbl jbl 4.0K Dec 29 16:27 .
drwxr-xr-x 50 jbl jbl 4.0K Dec 29 16:25 ..
drwxr-xr-x  8 jbl jbl 4.0K Dec 29 16:27 .git
-rw-r--r--  1 jbl jbl   42 Dec 29 16:27 README.md
jbl@pc-alienware-jbl:~/test-iaac-kytes$ cat README.md 
# voyons
pr test de l'acces SSH à gitlabjbl@pc-alienware-jbl:~/test-iaac-kytes$ 
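
The clone session above answers "yes" to the "authenticity of host ... can't be established" prompt, which is the moment a host key gets pinned in known_hosts for good. The script below is an added example, not code from this issue: it parses a plain (unhashed) known_hosts line of the shape written by the "Permanently added" warning, recomputes the OpenSSH-style SHA256 fingerprint from the key blob, and compares it with a fingerprint obtained independently on the server (for an OpenSSH container that is `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` run inside it). The key blob is constructed, not a real key from this GitLab, so its fingerprint is not the one shown above.

```python
"""Verify a known_hosts entry against a fingerprint read on the server.

Added example, not code from this issue. Handles plain (unhashed) known_hosts
lines: "hostnames keytype base64-key [comment]", where a non-22 port is written
as [host]:port. The sample key blob below is constructed and not a real key.
"""
from __future__ import annotations

import base64
import hashlib


def sha256_fingerprint(raw_key: bytes) -> str:
    """OpenSSH fingerprint: 'SHA256:' + unpadded base64 of sha256(wire-format key)."""
    digest = hashlib.sha256(raw_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def wire_key_type(raw_key: bytes) -> str:
    """Key type string embedded in the blob (uint32 length + bytes, RFC 4251 string)."""
    n = int.from_bytes(raw_key[:4], "big")
    return raw_key[4:4 + n].decode("ascii")


def parse_host_entry(entry: str) -> tuple[str, int]:
    """'[gitlab.kytes.io]:2222' -> ('gitlab.kytes.io', 2222); a bare host means port 22."""
    if entry.startswith("["):
        host, _, port = entry[1:].partition("]:")
        return host, int(port)
    return entry, 22


def parse_known_hosts_line(line: str) -> dict:
    """Split a line into hosts, declared key type and fingerprint; reject hashed '|1|' entries."""
    fields = line.strip().split(None, 3)
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line")
    hosts, key_type, b64 = fields[0], fields[1], fields[2]
    if hosts.startswith("|1|"):
        raise ValueError("hashed known_hosts entry; use ssh-keygen -F to look it up")
    raw = base64.b64decode(b64, validate=True)
    embedded = wire_key_type(raw)
    if embedded != key_type:
        raise ValueError(f"declared type {key_type} != embedded type {embedded}")
    return {
        "hosts": [parse_host_entry(h) for h in hosts.split(",")],
        "key_type": key_type,
        "fingerprint": sha256_fingerprint(raw),
    }


def host_key_matches(line: str, host: str, port: int, expected_fingerprint: str) -> bool:
    """True only when the line covers host:port and its fingerprint equals the expected one."""
    info = parse_known_hosts_line(line)
    return (host, port) in info["hosts"] and info["fingerprint"] == expected_fingerprint


# Constructed ecdsa-sha2-nistp256 blob in wire format: type, curve name, dummy point.
SAMPLE_RAW_KEY = (
    b"\x00\x00\x00\x13ecdsa-sha2-nistp256"
    + b"\x00\x00\x00\x08nistp256"
    + b"\x00\x00\x00\x03\x04\x01\x02"
)
# Same host list as the "Permanently added" warning in the clone session; constructed key.
SAMPLE_LINE = ("[gitlab.kytes.io]:2222,[192.168.1.32]:2222 ecdsa-sha2-nistp256 "
               + base64.b64encode(SAMPLE_RAW_KEY).decode("ascii"))

if __name__ == "__main__":
    info = parse_known_hosts_line(SAMPLE_LINE)
    print(info["key_type"], info["fingerprint"], info["hosts"])
    # In real use, expected_fingerprint is the value read on the server itself;
    # here the computed one stands in to show the positive case, then a mismatch.
    print(host_key_matches(SAMPLE_LINE, "gitlab.kytes.io", 2222, info["fingerprint"]))
    print(host_key_matches(SAMPLE_LINE, "gitlab.kytes.io", 2222, "SHA256:" + "A" * 43))
```

The useful workflow is to read the fingerprint on the server first, then feed it to `host_key_matches` together with the line that ssh wrote to `~/.ssh/known_hosts`; a mismatch on a host whose key has not legitimately been regenerated is the signal to stop and investigate before pushing anything.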
